🛡️ Automate user provisioning with SCIM

SCIM provisioning and SSO enforcement are now available on the Custom Plan. Your Identity Provider (Okta or Microsoft Entra ID) can be the single source of truth for who has access to Holistics.

Previously, every user account and group had to be created and maintained manually inside Holistics, separate from your IdP. At enterprise scale, this meant manual invites for every new hire, manual deactivations on offboarding, and constant drift between IdP groups and Holistics groups. Now, your IdP pushes user and group changes to Holistics automatically: users are created on assignment, profiles update on change, and accounts deactivate on removal.

Why this matters

• Automated user lifecycle. Assign someone to Holistics in your IdP and they get an account with the right role. Remove them and the account deactivates. No manual steps.
• IdP group sync. Okta or Entra ID groups push to Holistics as synced groups, with membership changes propagated automatically. Synced groups auto-link to existing manual groups by name.
• Group-to-role mapping. Map IdP groups to Holistics roles (Viewer, Explorer, Analyst, Admin), with least-privilege when a user belongs to multiple groups.
• Clean coexistence with manual setups. Synced and manual users/groups live side by side. Synced entities are read-only in Holistics; manual entities stay editable. The read-only boundary is at the membership level, so you can still clean up pre-SCIM assignments.
• Forced SSO. Disable password login entirely and require all authentication through your corporate IdP, with an emergency admin exception for lockout recovery.

Learn more: SSO & SCIM Provisioning